
On Sept. 28, Facebook publicly admitted that it was the victim of a data breach that impacted approximately 50 million user accounts. Out of an abundance of caution, Facebook is resetting the access tokens for a total of 90 million user accounts. The breach was apparently discovered in the afternoon on Sept. 25 and was quickly remediated.

"Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted 'View As', a feature that lets people see what their own profile looks like to someone else," Guy Rosen, vice president of product management at Facebook, wrote in an advisory. "This allowed them to steal Facebook access tokens which they could then use to take over people's accounts."

An access token is not the same as the username and password combination that Facebook users need to log into the social networking service. Rather, once a user logs into Facebook with their credentials, the site assigns an access token, which keeps the user logged in. It is those access tokens that were accessed in the data breach.

Facebook has now reset 90 million user access tokens, meaning those users have been logged out of the system and will need to log back in. Rosen noted that there is no need for users to change their existing password.

View As

Facebook has shut off the "View As" feature as it conducts a review of how the attack occurred. Rosen said that at this early stage it appears that a change made in July 2017 to the video uploading feature in Facebook somehow impacted the View As functionality.

Facebook has not yet publicly stated how long attackers may have been able to access user tokens, or whether they have been at risk the entire time since the July 2017 change.

"Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed," Rosen wrote. "We also don’t know who’s behind these attacks or where they’re based."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
